Visibility across cloud and hybrid environments remains one of cybersecurity’s most persistent challenges. Organizations continue to struggle with insight and telemetry as they connect multiple clouds, deploy different tenancies for different systems, and manage increasingly complex hybrid architectures. Major cloud providers don’t offer comprehensive visibility tools, making third-party solutions critical for practical threat intelligence and security monitoring. The challenge intensifies as organizations face a fundamental coverage problem: whether in the cloud or on-premises, teams need proper telemetry to sense what’s happening in their networks, make meaning from it, and take meaningful action.
In this episode, Franz Fiorim, field CTO at Trend Micro, explains how Trend Vision One consolidates multiple cloud security tools across AWS, GCP, Azure, Oracle Cloud, and Alibaba Cloud to streamline management, automate controls, and reduce integration overhead. Joining him are Nick Espinosa, host of the Deep Dive Radio Show, and Jason Shockey, CSO at Cenlar FSB.
Want to know:
- Why do organizations still struggle with cloud visibility despite years of cloud adoption?
- How does Trend Micro reconcile security visibility with privacy laws across different jurisdictions?
- What security frameworks does Trend Micro use to measure and define acceptable risk?
- How does cyber risk quantification tie technical security metrics to business impact analysis?
- What questions help determine the financial impact of potential security incidents?
- How long does implementation take for fully cloud versus hybrid environments?
- What safeguards prevent overdependence on a single security vendor?
- Where does Trend Micro draw the line between automated decision-making and human oversight?
- How does Trend Micro protect AI infrastructure and prevent sensitive data exposure in prompts?
Got feedback? Join the conversation on LinkedIn.
Huge thanks to our sponsor, Trend Micro

Full Transcript
Intro
0:00.000
[Voiceover] Connecting security solutions with security leaders. Security You Should Know starts now.
[Rich Stroffolino] Welcome to Security You Should Know. I’m your host, Rich Stroffolino. Today, we’re talking with Trend Micro and what they’re doing in cloud security with their Trend Vision One platform. Now, the problem that they’re addressing, it is a big one in the industry, and it’s how do you get visibility across cloud and hybrid environments?
Helping us get answers and better understand this problem are Nick Espinosa, host of the Deep Dive Radio show, and Jason Shockey, CISO at Cenlar FSB. Nick, I’ll start with you. Why are we still having this visibility problem? It seems like we’ve had the cloud for a little while now, right?
[Nick Espinosa] We’ve definitely had it for a while, but I like to go back to 2017 on this one because the CSA or Cloud Security Alliance basically puts out a poll every year that asks corporations, do you trust the cloud or do you trust on-prem? And since 2017, more corporations have trusted basically the cloud.
We all know that we’ve all personally moved to the cloud, but corporations have always basically been behind this. And by virtue of that, as we are connecting one cloud to the other or we are putting up different types of tenancies for different types of systems and data, having insight and telemetry and visibility into the cloud that we are trusting more than we are not has always been a perpetual challenge.
And it doesn’t seem like the major providers out there are really offering these tools. So it becomes incredibly important to have these tools from third-party providers that are giving us good threat intelligence.
[Rich Stroffolino] Jason, what about for you? Why are we still struggling with this visibility problem?
[Jason Shockey] You have organizations that are on-prem, some are hybrid, some are all in the cloud, like we are. It really pays to be in the cloud. It does help because then you can take advantage of all the features that are available up in the cloud and cloud native applications and security.
Touched on a second ago, expectation, fear, uncertainty, doubt. The more breaches that occur, the less likely people are that are on-prem or even hybrid to get to the cloud to leverage these tools. So I think the coverage piece has always been a problem, whether you’re in the cloud or not.
So do you have the proper telemetry in place to actually sense what’s happening in your network to then make meaning about it and then take meaningful action? Those have always been a constant problem. And CNAPP sounds like a technology that could really help us make leaps forward, not just steps.
Set the table
2:20.700
[Rich Stroffolino] Well, that’s why we’re so excited to be talking today with Franz Fiorim, the field CTO at Trend Micro. Now, to start out, we’ve got to answer some of the preliminaries, help set the table here for our Q&A. So, Franz, how do you explain the value of your solution to a CEO, what does it do, what does it not do, and what is the pricing model?
Can you help us out here?
[Franz Fiorim] So first thing, Trend Micro is a company that is in the market for 36 years. That means it’s a long time. And we also have more than a thousand different patents. Specific about CNAPP, it consolidates multiple cloud security tools, including, again, different cloud providers, for example, AWS, GCP, Azure, Oracle Cloud, Ali Cloud.
That means consolidate all of the security tools across major clouds. It streamlines your team’s management risk, automate controls, secure the application from development to runtime and it will reduce integration overhead. They will give you DevOps and secured solutions to accelerate your cloud initiatives.
The result is simple operation, fewer silos, because again, we know that’s a lot of different silos and more predictable cost and performance at your scale. For the cost of the solution itself or the pricing, it’s publicly available in AWS Marketplace, Azure Marketplace or Google and it’s per seat, so it means any asset that you protect is how we charge you.
Discussion set up
3:41.700
[Rich Stroffolino] Fantastic. All right. So we’ve just touched on the broad strokes here, but I’m sure we have a lot of questions from our panelists. Jason, I’m going to start with you. What other questions do you have for Franz today?
[Jason Shockey] Ties on fear. So whenever you have someone that’s, let’s say, apprehensive about going to the cloud, let’s say they’re fully on-prem, how would you actually convince them or persuade them and make them feel comfortable with getting to the cloud so then they can use these advanced features like CNAPP?
[Franz Fiorim] Thank you for the question, Jason. So first thing is we need to understand what kind of security frameworks they are measuring their environment right now on premise. So majority of the customers is using NIST 800-53. There are other ones using ISO, but again, make sure that we have all of the metrics that they’re measuring their environment today and apply the same thing for the cloud environment.
So again, doing the risk assessment of the entire environment they have on premise and then what their biggest fear is. For example, normally it’s like, “I don’t have control where is my data.” So make sure that we are validating all of the assets that they have as a critical asset, also checking DSPM, data posture management.
So for example, if you are following GDPR, you probably are concerned to bring those kind of data to cloud. So we need to check what environment you have there, what data you have there and then run those security frameworks.
[Jason Shockey] Yeah. One of the things that I always try to explain to people when I talk to the boards and executives that are non-technical is they’re apprehensive about going to the cloud. The cloud is just a fancy term for someone else’s computer.
And they take much better care of the computers than we do. So let’s go to the cloud, everybody.
[Rich Stroffolino] All right, Nick, jump in there. What questions do you have for Trend Micro today?
[Nick Espinosa] Yeah, yeah. I’m approaching this from a slightly different angle here. And I know that your platform is going to collect an enormous amount of telemetry to improve things like detection accuracy, those kinds of things. So how do you, as Trend Micro, reconcile the tension between like visibility for security and privacy for autonomy across jurisdictions with vastly different expectations of surveillance, privacy, laws, all these kinds of things as well?
A lot of the world is multi-tenancy and multinational and this is a big issue.
[Franz Fiorim] Thank you for the question, Nick. Yeah, and it’s specific if you go across the globe. So we have specific security frameworks and regulations for specific countries, for example, Australia. You go to Union Europe, you have GDPR, South America is the same.
So first thing, when you are deploying our tenant, you can select what region you are deploying. So again, we normally tend to follow the most restrictive regulation, but you can select where we are deploying our tenants to protect the specific environment.
And if you are a very well regulated environment, you can also host the entire platform. That means it’s hosted wherever you want to, including if you want to host it on premise or in your own cloud environment. And when you go to hybrid cloud, specific private cloud, it’s falling under the sovereign cloud.
Right now, that’s again, very well-known topic for Union Europe. That means you can also deploy the entire stack in your private cloud.
[Nick Espinosa] Right, right. And that makes sense because I think it then opens up, and I’ll ask one more quick one here then in that vein and I’ll turn over to you then, Jason. But how does Trend Micro define that acceptable risk? And do you believe that your tools should basically push customers towards a universal model of risk or allow for just insanely and incredibly individualized risk tolerance, given all of the information and threat intelligence they’d be getting from you?
[Franz Fiorim] Yeah, how to measure risk definitely is a challenge. We tend to follow two specific ones. So if you go to NIST 800-30, then NIST 800-60, so most of the security vendors is a black box, how they measure the risk. We tend to follow, again, of the metrics that, again, the federal governments use in the US.
It’s publicly available so anyone can use it. So we follow those two ones. And the idea is to give you the risk between one and a hundred. So that means, and also compare with peers, industry. And you can see if you are going up or down the risk. We also add a kind of value impact.
That means if you have a breach, for example, in a specific database, what will be the cost of that breach? But with that, you need to answer a few questions because we cannot just give you a number. So it’s a thing that we need to work together. And you need to also help us to understand, “This is a critical data for me.
This is a critical service. So if it goes down, I can lose another, maybe one, two million.” But we can also help you with this monetization if something bad happens.
[Nick Espinosa] Right. Thank you.
[Jason Shockey] Yes. So you mentioned something which resonated with me, cyber risk quantification or CRQ. I think you said business resilience. Can you give me an example of the kind of questions that you’re going to ask to see if you could tie those business impact analyses to what we might be able to see in CNAPP and then give action?
Because the reason for the ask is I spend a lot of time trying to translate complex technical topics to non-technical boards and non-technical regulators and say, “It’s going to cost you $25 million per hour if this goes down or if that goes down, it’s going to cost you $25 million per second,” or whatever the number might be.
How do you tie those two together? What questions are you asking?
[Franz Fiorim] Normally, how the critical is your data and again, checking the data, the service. So for example, imagine that you have a web application or we have maybe a store that all of your customers buy through it, again, e-commerce. If it goes down, it’s easy to track because you can see in the last month or so how much you sell through it.
So understanding critical asset, what is important for you and that one availability, if it’s also your concern about maybe it’s a breach. For example, you have cyber insurance. So that means normally you need to pay to have it and also you have the premiums for the cyber insurance due.
So that means we need to understand your business, understand how you are measuring your revenue. And the second one, it’s if we correlate with the industry. We know that, for example, an attack in a specific environment can cost you X in the average.
So we can also bring this information to you. But again, we need to go to you, understand your data, how critical is that to have the service availability and we can give you estimated value for that specific one.
[Jason Shockey] What if somebody doesn’t know what their critical assets are?
[Franz Fiorim] Then it’s a process that we can work together with you. Again, do asset inventory, understanding everything that you have there, checking how critical is that specific service. But again, it’s more a consultant process, but we can help you to that process.
[Jason Shockey] And then understanding the business, I think you mentioned that. What’s a typical implementation timeline? Let’s say somebody’s fully in the cloud, how long? If somebody’s hybrid, how long?
[Franz Fiorim] If it’s fully cloud and under the most, let’s say, major, let’s say, cloud providers, I give you the idea about per cloud account, it’s probably less than 15 minutes per cloud account. And if you have 100, let’s say a thousand cloud accounts, I have one customer that have more than 10,000 cloud accounts, they did the entire deployment in two days.
[Jason Shockey] That’s impressive. Thanks.
[Nick Espinosa] So that last answer kind of just gives me a bit of an understanding. The first thing that came into my head was the word dependency because cybersecurity tools can unintentionally create dependency. I mean, and think about what organizations rely on.
It’s AI, it’s sensors, it’s threat feeds, it’s automated remediation, SOC, score, all this kind of stuff. So what responsibility does Trend Micro have to prevent an overdependence or security vendor lock-in, ethics situation here? If you’ve got 10,000 accounts you’re deploying in two days and they’re holistically in your network, I mean, how well are we going to play nice with others here?
I think it’s an important one because we’re always layering various solutions together.
[Franz Fiorim] Thank you for the question. I think first thing is remember that majority of the technology that you are implementing in your cloud environment usually consume APIs for the cloud provider, so public APIs. We also provide our APIs. That means if you want to forward the entire data lake that we have from your environment to a third party, we can do it.
And we are using open format to it. That means we are leveraging the public APIs from the cloud provider.
And we also share with you, if you want to, put the entire data, include telemetry data and in a format that everyone can use it. That means it’s easy to you to portable that specific to a third party solution. In addition to it, normally I don’t want to see any other security vendor as a competitor because, again, the competitor in my point of view is the threat actor and the guys that are doing the bad things.
So we do have an integration of more than 100 different third party solutions, including all the security vendors. So we can dump our entire solution and our entire information to have a platform to third party solution, including a security solution.
[Nick Espinosa] Gotcha. So let me take it then into one more avenue here. Outside of third parties, obviously you’re integrating AI into detection response here, as everybody is. So where does Trend Micro really draw that line or that ethical boundary between automated decision making and human oversight, especially when we are looking at something like an automated block that could directly or materially affect a sensitive business or a hospital or government service or something along those lines?
Where is that delineation for Trend Micro?
[Franz Fiorim] Yes, we have three approaches when you filed automation. Could be fully automated. That means the entire process is automated. And you can create exclusions. So this, this, this, this, this system, I don’t want to go that one, but could be fully automated.
Second one is partially automated. Someone needs to say yes or no. It means could be one specific senior engineer. It could be the manager, say, “Hey, I want that one to be executed.” But we’ll give you the summary of everything and someone needs to execute or not, say yes or no.
And third one is fully manual with steps. It means you can run it, but we need to have a SOC engineer or a response engineer to do it. But again, could be the three different levels. And with the fully automated one, it will give you the risk when you are implementing that.
So that means if you give a summary, what will be the risk if you fully implemented? Most of my customers right now, it’s partial automated at least for the critical assets. They say, “Hey, I want you to have inputs, I want you to execute it, but someone is to say yes or no.”
[Jason Shockey] So one question on analytical forecasting. If we have our assets fully in the cloud, we’re using CNAPP where everything is running very smoothly, what kind of analytical forecasting is there, if it’s available, to say something like this?
This is the aspirational, I think, sentence that I want to give any board or any organization that I work with to help them out. Within 95% confidence, there is a 35% chance that we’re going to be breached from the latest pick your vulnerability. Can we do that if CNAPP is fully employed in an ideal scenario?
[Franz Fiorim] Yes, you can. So just be aware. So we, Trend Micro, the company that’s going more through the ZDI. So ZDI, Zero Day Initiative, and across the board, including AI infrastructure and AI applications. But what you mentioned right now, what we call potential attack path.
That means, based on the configures that you have in the cloud environment, could happen a breach in these and these specific service. That means we are trying to do the correlation, all of the assets, the permissions that you have it, how they communicate between themselves, and you give your prediction.
So this is the risk. If that happened, it can cost you X. That, we call potential attack path. And then it also give you steps, how can we reduce that risk or mitigate a complete specific risk. But yes, it’s possible and it’s through our potential attack path analysis.
[Jason Shockey] Have you seen CNAPP lower cyber insurance premiums for organizations? That’s a question I get a lot from executives.
[Franz Fiorim] The cybersecurity insurance, normally they have a few topics that they want to check, so for example, MFA, if you have EDR. There’s a couple of things. I would love to see CNAPP listed there, but I think only a few ones right now have CNAPP listed and they’re reducing the premium right now.
I think it’s a path because as it happened with MFA with EDR, I think is coming to CNAPP.
Last question
15:52.500
[Rich Stroffolino] All right, Franz, what’s one thing we didn’t ask about that we need to know?
[Franz Fiorim] I think first thing is AI protection. So right now, the way that Trend Micro provides the platform, we can leverage AI to help improve security in your environment, but we can also secure AI stacks. So if you guys are running any kind of AI infrastructure in the cloud or even if you’re on premise or in your private cloud with NVIDIA, for example, we can help you to protect those entire environments, including AI SPM, so AI security posture management.
So it’s between identify the data that is maybe sensitive, also checking the prompt if the user is adding any kind of sensitive data right there or not and then also protect against vulnerability in the AI infrastructure. So if you go, for example, ZDI.com, you see that there’s a bunch of different AI stacks and AI models that have vulnerability and we can help you to protect.
Outro
16:47.400
[Rich Stroffolino] Well, that’s just about it for this episode of Security You Should Know. To learn more, head on over to trendmicro.com. And if you have any feedback for this show or for our panelists, send it to us, feedback@CISOseries.com. A big thank you to Nick and Jason for helping us learn more about what Trend Micro is doing here.
And thanks to you, Franz, for your time and being game to answer all of these questions. And thank you for listening to Security You Should Know.
[Voiceover] That wraps up another episode of Security You Should Know. If you like this program, please subscribe, tell your friends and leave us a review. All companies showcased on this program are sponsors of CISO Series. If your company would like to be spotlighted and interviewed by our security leaders, go to our contact page on CISOseries.com or just email us at info@CISOseries.com.
Thank you for listening to Security You Should Know, connecting security solutions with security leaders.





